Hello. This is my 1st post here so forgive me if its a bit long. heres a little background on me, I'm 26. I was a electrician so i have some basic electrical theory but I didn't like the construction field. After lots of introspection over the past 6 months I've decided that I'm going to become a pen tester. I have always loved computers and had a knack for it. my programming skills are weak right now, I've self taught myself a little bit of objective-c over the past month or so to help my friend develop apps but thats about it so far. I'm not opposed to putting in endless amounts of work to make this happen. I've done a bunch of research over the past month on how to become a pen tester but I rarely see advice for noobs at my level. Would you recommend a B.S. in computer science or information systems security or possibly another I'm overlooking? would you skip the degree and just go for certs? If so which certs in which order knowing my ultimate goal is to become OSCP certified. If I go the certs route which traing programs would you recommend? I realize work experience is big so it would help to start out with something that will get my foot in a door even if the pay isn't great. I've read that its good to go for network security admin then crossover to pen testing, would you recommend this approach? I've only got one shot at this and I want to do it right. Also I'm interesting in the hackingdojo but I'm unsure if I have enough knowledge to start the novice course or not, the site doesn't really list any prerequisites. Any advice from you professionals would be greatly appreciated. Thanks for your time.

edit/reply:Thanks for your replies. I understand the question is sort of common but there is no clear cut path from noob to OSCP. I just wanted a little input based on my particular situation. There are so many ways you can go about getting into this career which makes it unique. If i wanted to be a teacher I'd get a teaching degree, if I wanted to be an electrical engineer I'd get a degree in electrical engineering. Being a pen tester isn't so cut and dry, there are no schools offering ethical hacking degrees. I don't have friends or family in this field or even in remotely related fields to give me any advice or guidance. I could just pick something remotely related to the field and work from there but I'm very OCDish when it comes to decisions and I feel like I need a well planed path to my goals. 99% of the related topics I've seen here the asker has some experience in some random field that kick starts them in a general direction. I guess the simple way to ask my question would be if you were to start from about A+ knowledge and work to become an OSCP, knowing what you do now from your personal experiences how would you do it? where would you start? which training courses would you enroll in?

Last edited by reese66 on Mon Apr 29, 2013 11:04 pm, edited 1 time in total.

reese66 wrote:I realize work experience is big so it would help to start out with something that will get my foot in a door even if the pay isn't great. I've read that its good to go for network security admin then crossover to pen testing, would you recommend this approach?

I imagine it would be difficult to even be a network security admin without experience. You're probably going to have to start as a network admin. Start by going for a CCNA and CCNA: Security. That's a lot of material and will probably take you the better part of a year.

Your primary goal should be landing an entry-level IT position and to start building experience. Small companies can be great to get started with as you'll likely have to wear many hats and consequently get to work with and learn many technologies.

reese66 wrote:I've only got one shot at this and I want to do it right.

I don't understand this. No one I know, especially myself, as gotten to where they are without stumbling and making mistakes. Just keep learning and moving forward, and you'll get there eventually. Realize that this will probably be a 5+ year goal, so break it down into manageable pieces to avoid getting discouraged and overwhelmed.

And +1 to cd1zz. Spend some time going through the forums. There are a large number of long and elaborate responses to this question.

when I said I only have one shot at this I meant that I'm already 26 and had one career not work out for me. I can't afford to botch this by making the wrong choices. I have a wife that depends on me and hopefully kids in the near future. I feel like I got a lot on the line and I just don't want to make the wrong choices. Maybe i'm just a little paranoid about it.

cd1zz wrote:This is probably the most common question here. Seems it comes up at least every week or two, search around and you'll find the same answers on each one.

Where are you located? Depending on your current salary, the strategy may be different.

I'm in western NY and my salary requirements aren't super high, I could make do at $12-$14/hr if it was full time. $16+ would make me pretty happy for the time being. As long as i can pay the mortgage and eat while I get experience I would be content. minimum wage here is about $9/hr so I don't think that would be an unreasonable goal.

Your immediate goal should just be breaking into a general IT position. If you feel the CCNA material will take you too long, maybe consider Network+ and A+. I don't think you'll have trouble meeting your salary requirements, and you'll get a decent bump after you get a year or two of experience under your belt.

I don't think you have much to worry about. You're going to have to work your ass off to get a pen testing position, but even if you later decide that isn't worth it, you should still be able to comfortably provide for your family in a systems or networking position. Whether or not you'd find that to be a satisfying role is up to you though.

Your path will be unique, but as long as you achieve your milestones you can get there. To begin, those milestones should be certs. You certainly don't need a college degree to pentest, some of the best don't have a degree. My personal opinion is that if you can find a IA or IS degree that is a balance between "credibility" and cost, it cant hurt. Who knows, in 10 years you may need that college degree for some type of management gig.

To over simplify the process, and if money is no object here is how I would do it:

CCNA or MCSE -> GPEN -> OSCP ...

You will need to learn how to troubleshoot, that is probably the most important skill that does not come with a cert. As an electrician, you probably already have a knack for this. The ability to quickly analyze and fix issues is imperative.

thanks guys. I actually found a great article here in the columns http://www.ethicalhacker.net/content/view/412/24/ that covers a ton of questions. if any other noobs ask this same question id recommend reading it. after reading it and your advice I decide I will attend my local community college for an associates in information security systems. While attending school I will also study for my CCNA and try to find a entry level IT job and see where it goes from there.

If you are in western NY then your entry level position will rage around the $12-14 maybe more. I am from the Adirondack region and entry level around here is at about $15-$17 so I can only assume the bigger that region the higher the salary. I took that track I went to out local community college and got my AAS in Computer Information Systems. I'm not moving into the security field. I have a few contacts in that area if you need an internship. PM me any time with questions.